|
Use parameterised queries, unless there is a good reason not to. If there is a good reason not to, escape input on the server side when making up the query. Validating input fields in this way is one of the worst ways to prevent attacks (because it stops users entering legitimate information).
|
|
|
|
|
We are, in a way, undertaking parameterised queries. I am actually building a query tool in WPF and restricting what sort of queries a user can run. All I am trying to do is ensure that where a user sets a constraint, such as name like = 'Bob', they cannot enter a reserved word or use it to launch an attack. This is why I am looking for a regular expression!
|
|
|
|
|
But what if the user's name includes a banned character (e.g. O'Donnell)? I'm sure there are a few people with surnames that are database reserved words, too. This is why you should escape whatever is passed to you so it isn't an injection string, not 'validate' in such a way that legitimate user input is excluded.
Producing a safe SQL string is relatively easy if what you're escaping is always going to be a quoted parameter: you need to escape quotes, and it's a good idea to do semicolons for paranoia too.
|
|
|
|
|
If you are using PHP at the front end this is a very helpful tutorial:
Clickety[^]
The generally accepted advice is to escape non-alphanumeric characters in text entry boxes, and
mysql_real_escape_string() should do the job for you if it is PHP at the front end...
Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)
|
|
|
|
|
It is WPF (Windows Presentation Foundation) in C# with an Oracle 10g database, not PHP and MySQL.
|
|
|
|
|
Check this out:
oracle_sql_injection_attacks[^]
It is also the responsibility of the DBA to ensure that, whatever you pass in to Oracle, you are not able to create an injection attack - so talk this over with the DBA too.
Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)
|
|
|
|
|
We have already done this, but what we are doing is creating a query tool that runs against a query database that is a copy of the main database. The users' queries run against some views; because the users can create any number of combinations of queries against these views, it is not possible to use binding or any of the usual stuff. Therefore, we have to be as flexible as possible. We control what they can select on and join on with the views, but we cannot control their constraints, such as "name Like 'Bob'".
Therefore, it is imperative for me to have a way of stopping "Bob; 'DROP TABLE'" type situations.
|
|
|
|
|
Hi,
Just wanted to let you know that it is not me down-voting your comments.
I hope you find a solution; when you do, let us know.
Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)
|
|
|
|
|
One of the problems will be having to keep it up to date.
Something that's easy to do is to see if the string contains multiple statements separated by semi-colons;
see my LibSql.SplitSqlStatements method in here[^].
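The approach the replies converge on, as an added example in C# (since the tool is WPF) that is not the poster's tool and not code from any of the replies: treat the user's constraint as a tiny language, `<column> <operator> <literal>`, accept only whitelisted columns and operators, and hand the literal to Oracle as a bind parameter instead of splicing it into the SQL. The view `PERSON_V`, its columns `NAME`, `CITY`, `AGE`, and the `:p0` bind names are assumptions for the demo. Because the grammar is anchored at both ends, `'Bob'; DROP TABLE` and `'x' OR 1=1` are rejected without any reserved-word list, while O'Donnell is accepted as a plain value; note that the second of those has no semicolon for a statement splitter to find.

```csharp
// Added example, not the original poster's code. Assumed view: PERSON_V(NAME, CITY, AGE).
using System;
using System.Collections.Generic;
using System.Data;
using System.Globalization;
using System.Text.RegularExpressions;

public sealed class Constraint
{
    public string Sql { get; }        // fragment with a bind placeholder, e.g. "NAME LIKE :p0"
    public string BindName { get; }   // e.g. ":p0" (Oracle-style bind name, assumed)
    public object Value { get; }      // the literal, bound separately, never concatenated
    public Constraint(string sql, string bindName, object value) { Sql = sql; BindName = bindName; Value = value; }
}

public static class ConstraintParser
{
    // Whitelists: only the columns the views expose and a fixed set of comparison operators.
    static readonly HashSet<string> Columns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "NAME", "CITY", "AGE" };
    static readonly HashSet<string> Operators =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "=", "<>", "<", "<=", ">", ">=", "LIKE" };

    // Whole-input grammar: <identifier> <op> <'quoted string' | number>. Inside the string
    // literal the only way to write a quote is '' (SQL style). The ^ and $ anchors mean any
    // trailing text ("; DROP TABLE", " OR 1=1") makes the whole constraint fail to parse.
    static readonly Regex Grammar = new Regex(
        @"^\s*(?<col>[A-Za-z_][A-Za-z0-9_]*)\s*(?<op><>|<=|>=|=|<|>|(?i:LIKE))\s*" +
        @"(?:'(?<str>(?:[^']|'')*)'|(?<num>-?\d+(?:\.\d+)?))\s*$",
        RegexOptions.CultureInvariant);

    public static bool TryParse(string input, int index, out Constraint constraint, out string error)
    {
        constraint = null; error = null;
        Match m = Grammar.Match(input ?? "");
        if (!m.Success) { error = "expected <column> <operator> <literal>"; return false; }

        string col = m.Groups["col"].Value.ToUpperInvariant();
        string op = m.Groups["op"].Value.ToUpperInvariant();
        if (!Columns.Contains(col)) { error = "column not allowed: " + col; return false; }
        if (!Operators.Contains(op)) { error = "operator not allowed: " + op; return false; }

        object value = m.Groups["str"].Success
            ? (object)m.Groups["str"].Value.Replace("''", "'")   // '' -> ' : the bind value is the raw text
            : decimal.Parse(m.Groups["num"].Value, CultureInfo.InvariantCulture);
        if (op == "LIKE" && !(value is string)) { error = "LIKE needs a quoted string"; return false; }

        string bind = ":p" + index;
        constraint = new Constraint(col + " " + op + " " + bind, bind, value);
        return true;
    }

    // Attach parsed constraints to any ADO.NET command (the Oracle providers' command types implement IDbCommand).
    public static void Apply(IDbCommand cmd, string baseSelect, IList<Constraint> constraints)
    {
        var clauses = new List<string>();
        foreach (Constraint c in constraints)
        {
            clauses.Add(c.Sql);
            IDbDataParameter p = cmd.CreateParameter();
            p.ParameterName = c.BindName;
            p.Value = c.Value;
            cmd.Parameters.Add(p);
        }
        cmd.CommandText = clauses.Count == 0 ? baseSelect : baseSelect + " WHERE " + string.Join(" AND ", clauses);
    }

    // Fallback only when binding is truly impossible: the literal goes into the SQL text, so the
    // quote is the character that must be doubled. A semicolon inside a correctly quoted literal
    // is just data; it is an unescaped quote that lets it become a statement separator.
    public static string QuoteLiteral(string s) => "'" + s.Replace("'", "''") + "'";
}

public static class Demo
{
    public static void Main()
    {
        string[] inputs = {
            "name LIKE 'Bob%'",                  // accepted: NAME LIKE :p0, value "Bob%"
            "name = 'O''Donnell'",               // accepted: value O'Donnell, the quote is data not syntax
            "name = 'Bob'; DROP TABLE PERSON",   // rejected: text after the literal
            "name = 'x' OR 1=1",                 // rejected, although it has no semicolon to split on
            "password = 'x'",                    // rejected: column not in the whitelist
        };
        for (int i = 0; i < inputs.Length; i++)
        {
            if (ConstraintParser.TryParse(inputs[i], i, out Constraint c, out string err))
                Console.WriteLine($"OK   {inputs[i],-36} -> {c.Sql}  [{c.BindName} = {c.Value}]");
            else
                Console.WriteLine($"FAIL {inputs[i],-36} -> {err}");
        }
    }
}
```

The design choice is that the user never supplies SQL text at all: the column and operator are looked up in sets you control, and the only free-form part, the literal, travels as a parameter value, so the database never parses it as syntax. Extending the tool to `AND`/`OR` combinations means extending the grammar, not the blacklist.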
|
|
|
|
|
In my application I create an MSMQ queue. Before creating the queue I check for its existence and, if it exists, delete it and then create it. This works fine, but sometimes I get an exception saying "access denied", a security exception.
When creating the MSMQ queue I assign the permission too, for the local user, through "environment.user",
but still I get this exception.
I'd appreciate your ideas about this.
Thanks in advance.
|
|
|
|
|
Hello guys... I want to get a row from the table that was changed but have no clue what to do. Here is what I tried, but certainly it is not working:

```csharp
SqlCommand cmd = new SqlCommand();
cmd.CommandType = CommandType.StoredProcedure;
cmd.CommandText = "StoredProcedure";
DataTable dt = this.GetDataTable(cmd);
string row = dt.RowChanged; // does not compile: DataTable.RowChanged is an event, not a string property
```
|
|
|
|
|
Well, this depends on what you mean by changed.
Did you make the change to the current dataset and haven't yet posted (committed) the change?
You last looked at a table last week, and you want to know what's changed since then?
You have a dataset open, and you want to know if someone else has changed something in the dataset?
Please explain what you are trying to do and then the answers will hopefully come...
|
|
|
|
|
Let's suppose that I changed the City from London to Paris for a particular record OR a number of records using some C# app. Now I want to get this/these rows.
modified on Friday, July 15, 2011 7:37 AM
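For the first of the three cases asked about above (the change was made in the in-memory DataTable and has not yet been committed), an added example that is not the original poster's code: a DataTable tracks each row's RowState, so `GetChanges(DataRowState.Modified)` returns exactly the rows whose City was edited, and `DataRowVersion.Original` still holds the old value. The table contents are constructed for the demo.

```csharp
// Added example, not the poster's code. The rows are constructed sample data, not from a database.
using System;
using System.Data;

public static class ChangedRowsDemo
{
    public static DataTable BuildPeople()
    {
        var t = new DataTable("People");
        t.Columns.Add("Id", typeof(int));
        t.Columns.Add("Name", typeof(string));
        t.Columns.Add("City", typeof(string));
        t.Rows.Add(1, "Alice", "London");
        t.Rows.Add(2, "Bob", "London");
        t.Rows.Add(3, "Carol", "Berlin");
        t.AcceptChanges();   // mark everything Unchanged, as rows filled by a DataAdapter are
        return t;
    }

    // Only the rows edited since the last AcceptChanges; null when there are none.
    public static DataTable ModifiedRows(DataTable table) =>
        table.GetChanges(DataRowState.Modified);

    public static void Main()
    {
        DataTable people = BuildPeople();

        // Move everyone in London to Paris, as the C# app in the question would.
        // Select() takes a DataTable filter expression, not SQL.
        foreach (DataRow r in people.Select("City = 'London'"))
            r["City"] = "Paris";

        DataTable changed = ModifiedRows(people);
        Console.WriteLine(changed == null ? 0 : changed.Rows.Count);   // 2

        // The original table still knows the old value of each modified row.
        foreach (DataRow r in people.Rows)
            if (r.RowState == DataRowState.Modified)
                Console.WriteLine($"{r["Name"]}: {r["City", DataRowVersion.Original]} -> {r["City"]}");

        // Once the change has been written back, AcceptChanges resets the state
        // and GetChanges returns null again.
        people.AcceptChanges();
        Console.WriteLine(ModifiedRows(people) == null);   // True
    }
}
```

For the other two cases (changes made by someone else, or since last week) the in-memory state is no help; that needs a timestamp or audit column on the table, or the warehouse effective/expired dates mentioned below.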
|
|
|
|
|
|
Is your table stored in a data warehouse, i.e. is it a type 2 warehouse etc.?
If it is a data warehouse you are accessing the data from, then it should be a simple (read: simple to complicated here) matter of looking at the expired date and effective date columns of the rows...
Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)
|
|
|
|
|
Hi
Is it possible to have a variable ONLY show decimals if it does have decimal values? E.g. if the value comes back from the database as 500 then instead of showing 500.00, it should just show 500. If it comes back as 500.55, then it should show 500.55. Please note that I do not want to use string formatting here as I want to retain the decimal type for sorting purposes.
|
|
|
|
|
So I found a way of doing this. If you use Decimal.ToDouble it seems to do the job
|
|
|
|
|
Converting your Decimal value to Double may result in loss of precision. Instead, keep it Decimal and use ToString() to display it in a certain format.
|
|
|
|
|
I am not sure which version of .Net you are using but in VS 2010(.Net 4.0) in a winforms app, this seems to be the default behaviour. I know if I want to always show the decimal part (500.00), that is when I need to go the ToString route. I just tested with a listbox and with textboxes, and I get no decimal points if the decimal is a whole number.
...and I have extensive experience writing computer code, including OIC, BTW, BRB, IMHO, LMAO, ROFL, TTYL.....
|
|
|
|
|
From a general programming point of view you should never change your data type to satisfy display requirements, if by changing that datatype you remove precision.
Converting to a double will lose some precision.
Although very little precision is generally lost - if you are performing financial calculations this can cause a problem further on down the line when figures do not match.
So it really is better to stick with decimal and then to format it for display - otherwise you may be asking for trouble later when the FD asks "Why don't the totals match?"...
Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)
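An added example, not code from any of the posts, showing both halves of the advice above: decimal preserves its scale (which is why a 500.00 from the database displays as "500.00"), the "G29" format string drops the trailing zeros for display without touching the decimal used for sorting, and the Decimal.ToDouble shortcut loses exactly the kind of precision that makes totals stop matching. The values are constructed for the demo.

```csharp
// Added example, not the poster's code. Sample values are constructed, not read from a database.
using System;
using System.Globalization;

public static class DecimalDisplayDemo
{
    // Formats a decimal for display without changing its type: "G29" prints every significant
    // digit and drops trailing zeros, so 500.00m shows as "500" and 500.55m as "500.55".
    // Caveat: very small values such as 0.0000001m come out in scientific notation ("1E-07").
    public static string Display(decimal value) =>
        value.ToString("G29", CultureInfo.InvariantCulture);

    public static void Main()
    {
        // decimal keeps its scale, so a NUMBER(10,2) value of 500 arrives as 500.00m.
        decimal fromDb = 500.00m;
        Console.WriteLine(fromDb.ToString(CultureInfo.InvariantCulture)); // 500.00
        Console.WriteLine(Display(fromDb));                                // 500
        Console.WriteLine(Display(500.55m));                               // 500.55
        Console.WriteLine(Display(4.4567m));                               // 4.4567

        // Why the Decimal.ToDouble shortcut is risky: a binary double cannot represent 0.1
        // exactly, so a running total drifts while the decimal total stays exact.
        decimal decimalSum = 0m;
        double doubleSum = 0.0;
        for (int i = 0; i < 10; i++)
        {
            decimalSum += 0.1m;
            doubleSum += decimal.ToDouble(0.1m);
        }
        Console.WriteLine(decimalSum == 1.0m);                                 // True
        Console.WriteLine(doubleSum == 1.0);                                   // False
        Console.WriteLine(doubleSum.ToString("R", CultureInfo.InvariantCulture)); // 0.9999999999999999
    }
}
```

Keep the decimal in the data source bound to the grid or list so that sorting stays numeric, and apply the format only in the display binding or cell formatting.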
|
|
|
|
|
Hear, Hear.
...and I have extensive experience writing computer code, including OIC, BTW, BRB, IMHO, LMAO, ROFL, TTYL.....
|
|
|
|
|
I agree with you.
I Love T-SQL
"VB.NET is developed with C#.NET"
If my post helps you kindly save my time by voting my post.
www.cacttus.com
|
|
|
|
|
I'm not too concerned with precision. At the moment it works perfectly: if I do have decimals it keeps the decimals, and if I don't then it shows the whole number. I just tested this by creating a random decimal of 4.4567, converted it to a double, and the value stayed the same.
|
|
|
|
|
Etienne_123 wrote: ONLY show decimals
Show it where?
|
|
|
|
|
Etienne_123 wrote: I do not want to use string formatting
What is displayed on screen is a string that is currently using the default formatting, so doing a custom string format is the correct way. The sort should be done on the real values regardless of how it's displayed, IMO; this way there is no issue.
|
|
|
|